Field
Embodiments of the present invention generally relate to the field of network security techniques. In particular, various embodiments relate to security information and event management (SIEM) based on asset attributes of a network.
Description of the Related Art
A large computer network may comprise hundreds of client computers, servers and other network devices that may be located at different places. Multiple security devices, including, but not limited to, firewalls, antivirus devices, Intrusion Prevention System (IPS) devices or Unified Threat Management (UTM) devices, can be deployed to regulate network access and protect the network from attacks. The security devices may use log files to track the important network activities they capture. When the administrator of a large computer network wants to know the status of the whole network, a SIEM device may be deployed to collect all the logs from the multiple security devices. The SIEM device may send out an alarm to the administrator when a high-risk event is received. The SIEM device may also generate a report to show the status of the network, such as the number, targets and sources of attacks that have been captured within a certain period. However, when a large number of security devices are deployed in a network, a SIEM device may generate too many alarms because of the many security events collected from the security devices. Thus, there is a need for improved SIEM devices that report only those security events deemed most important to the network administrator.
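The following is an added illustration, not code from this patent or from any product it describes, of the SIEM behaviour outlined above: collecting key=value log records from several security devices, raising alarms on high-risk events, producing a count/targets/sources report for a time window, and weighting alarms by an asset attribute (here a per-host criticality score) so that fewer, more relevant alarms reach the administrator. The log lines, the asset inventory, the 1-5 severity scale, the default criticality for unknown hosts and the alarm threshold of 10 are all constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records from three device types (firewall, IPS, antivirus).
# Format assumed for the example: "<ISO timestamp> key=value key=value ..."
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 device=fw1 type=firewall severity=2 src=203.0.113.5 dst=10.0.0.30 action=deny",
    "2024-03-01T10:00:15 device=ips1 type=ips severity=4 src=203.0.113.5 dst=10.0.0.10 signature=sqli",
    "2024-03-01T10:01:02 device=av1 type=antivirus severity=3 src=198.51.100.7 dst=10.0.0.30 file=invoice.exe",
    "2024-03-01T10:02:40 device=fw1 type=firewall severity=5 src=198.51.100.7 dst=10.0.0.20 action=deny",
    "2024-03-01T10:03:05 device=ips1 type=ips severity=4 src=203.0.113.9 dst=10.0.0.30 signature=scan",
    "2024-03-01T10:04:30 device=fw1 type=firewall severity=4 src=203.0.113.9 dst=10.0.0.99 action=deny",
    "2024-03-01T10:07:12 device=fw1 type=firewall severity=3 src=203.0.113.5 dst=10.0.0.10 action=deny",
]

# Constructed asset inventory: the "asset attribute" used for weighting is criticality (1 = low, 5 = high).
ASSETS = {
    "10.0.0.10": {"criticality": 5, "role": "db-server"},
    "10.0.0.20": {"criticality": 3, "role": "web-server"},
    "10.0.0.30": {"criticality": 1, "role": "workstation"},
}
# Hosts missing from the inventory are not silently treated as unimportant:
# give them a middle value so the gap in inventory becomes visible (assumption).
DEFAULT_CRITICALITY = 3


@dataclass
class Event:
    ts: datetime
    device: str
    kind: str
    severity: int
    src: str
    dst: str


def parse_line(line: str) -> Event:
    """Parse one key=value log record into an Event; extra fields are ignored."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Event(
        ts=datetime.fromisoformat(ts_text),
        device=fields["device"],
        kind=fields["type"],
        severity=int(fields["severity"]),
        src=fields["src"],
        dst=fields["dst"],
    )


def risk_score(event: Event, assets: dict) -> int:
    """Device severity scaled by the criticality attribute of the targeted asset."""
    crit = assets.get(event.dst, {}).get("criticality", DEFAULT_CRITICALITY)
    return event.severity * crit


def severity_only_alarms(events, min_severity: int):
    """The related-art behaviour: alarm on every event at or above a device severity."""
    return [e for e in events if e.severity >= min_severity]


def asset_aware_alarms(events, assets: dict, threshold: int):
    """Alarm only when severity weighted by asset criticality reaches the threshold."""
    return [e for e in events if risk_score(e, assets) >= threshold]


def summarize(events, start_iso: str, end_iso: str) -> dict:
    """Report for a period: number of events plus their targets and sources."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    window = [e for e in events if start <= e.ts < end]
    return {
        "count": len(window),
        "targets": Counter(e.dst for e in window),
        "sources": Counter(e.src for e in window),
    }


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE_LOGS]
    print("severity-only alarms:", len(severity_only_alarms(events, 3)))
    print("asset-aware alarms:  ", len(asset_aware_alarms(events, ASSETS, 10)))
    for e in asset_aware_alarms(events, ASSETS, 10):
        print(f"  {e.ts} {e.device} {e.src} -> {e.dst} risk={risk_score(e, ASSETS)}")
    print(summarize(events, "2024-03-01T10:00:00", "2024-03-01T10:05:00"))
```

With the constructed data, a plain severity threshold of 3 raises six alarms, while weighting by asset criticality with a threshold of 10 raises four: the two IPS hits of equal severity are separated because one targets the database server and the other a workstation, and the event against the uninventoried host 10.0.0.99 is still surfaced because the default criticality keeps it above the threshold.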